Page 1: Beware the Predators - DeepSec… · Beware the Predators Toralv Dirro. McAfee Labs EMEA Security Strategist. Confidential McAfee Internal Use Only. $70mio International Cybercrime

Malware World 2010
Beware the Predators
Toralv Dirro, McAfee Labs EMEA Security Strategist

Page 2

Confidential McAfee Internal Use Only

$70 million International Cybercrime Ring Busted

• October 1st 2010: Operation Trident Breach
  – Investigations began in May 2009
  – 60 criminals charged, 10 arrested
  – International partnership with the SBU and other authorities

• The Federal Bureau of Investigation, including the New York Money Mule Working Group, the Newark Cyber Crime Task Force, the Omaha Cyber Crime Task Force, the Netherlands Police Agency, the Security Service of Ukraine, the SBU, and the United Kingdom’s Metropolitan Police Service participated in the operation.

– The cyber thieves targeted small- to medium-sized companies, municipalities, churches, and individuals, infecting their computers using a version of the Zeus Botnet. The malware captured passwords, account numbers, and other data used to log into online banking accounts. This scheme resulted in the attempted theft of $220 million, with actual losses of $70 million from victims’ bank accounts


Page 3

FOCUS 09: Anatomy of a scareware company

http://www.internetnews.com/security/article.php/3842936/McAfee+FOCUS+09+Anatomy+of+a+Scareware+Scam.htm

Using more than 63 gigabytes of information culled from querying the company's own portal servers and other publicly available data, Dirk Kollberg, from McAfee Labs, unearthed some astonishing operational details including the following:

• Innovative Marketing used more than 34 different production servers in less than six months and used as many as six different servers at a time to infect, advertise and sell their illicit wares.

• In one 10-day stretch, the company received more than 4 million download requests, meaning that at least 4 million people tried to buy the worthless applications.

• Internal documents report that the URLs used to hawk the scareware are only valid for 15 minutes, making it all but impossible for federal, state or international law enforcement agencies to yank the offending URLs before they've moved on to new addresses.

• It used multiple customer call centers, including at least one in Poland and one in India, to service unsuspecting customers calling via VoIP connections to buy, remove or question the need for the unnecessary scareware. And, believe it or not, they recorded and saved these bogus customer service calls. More incredibly, 95 percent of callers exited "happy" when the call concluded.

• Because they needed an extensive network of ISPs to pull off the scam, Innovative Marketing kept detailed spreadsheets with all the ISPs' pertinent data including price, location and, most telling, a column that rated the ISPs' "abuseability", essentially an assessment of which ISPs would play ball and not ask questions as they went about their business.

• The company added a whopping 4.5 million order IDs, essentially new purchases, in 11 months last year. With most of the phony applications selling for $39.95, that's more than $180 million in less than a year.

Page 4

FTC vs. Innovative Marketing

"The FTC succeeded in persuading a U.S. federal judge to order Innovative Marketing and two individuals associated with it to pay $163 million it had scammed from Americans. Neither individual has surfaced since the government filed its original suit more than a year ago. But Ethan Arenson, the FTC attorney who handled the case, warned: 'Collection efforts are just getting underway.'"

(Source: Reuters)

Page 5

Price Estimates for Credit and Debit Card Dumps

Dumps are information electronically copied from the magnetic stripe on the back of credit and debit cards. Prices for these data vary, depending on the inclusion of the card’s PIN.

Page 6

The Malware Market: Trojan and Exploit Kits easily available

Page 7

Zeus: Development of a Trojan Kit

Page 8

Mergers and Acquisitions: SpyEye & Zeus

Page 9

November 25, 2010

Cyber Crime Altering Threat Landscape

[Chart: Malware Growth (Main Variations), 2000 to 2007; series Virus and Bots, PUP, Trojan; y-axis 100,000 to 500,000. Source: McAfee Labs]

Page 10

Cyber Crime Altering Threat Landscape

[Chart: Malware Growth (Main Variations), 2000 to 2008; series Virus and Bots, PUP, Trojan; y-axis 200,000 to 2,200,000. Source: McAfee Labs]

Page 11

Cyber Crime Altering Threat Landscape

[Chart: Malware Growth (Main Variations), 2000 to 2009; series Virus and Bots, PUP, Trojan; y-axis 200,000 to 3,200,000. Source: McAfee Labs]

Page 12

Malware still growing strong

New pieces of malware per day:

2007: 16,000
2008: 29,000
2009: 46,000
Q1/2010: 40,000
Q2/2010: 55,000
Q3/2010: 60,000

[Chart: Number of malware samples in our database, Q1 2008 to Q3 2010; y-axis 0 to 50,000,000]

Page 13

Top 10 Malware Globally

1) Generic!atr: generic removable-device malware

2) Generic.dx: generic downloaders and Trojans

3) W32/Conficker.worm!inf: removable-device Conficker worm

4) FakeAlert-FakeSpy!env.a: legitimate-looking fake anti-virus scam

5) Exploit-CVE2008-5353: a JRE exploit that downloads a Trojan

6) GameVance: online gaming software that collects stats anonymously

7) Generic PUP.x: general-purpose potentially unwanted programs

8) Adware-Hotbar.b: adware program

9) Exploit-ByteVerify: Java applet Trojan

10) Adware-URL.gen: adware program

Two notable adware programs have joined the top ten list, both spread via malicious websites.

Page 14

Botnet Infections Held Steady

We have seen new botnet infections hold steady at around six million per month.

[Charts: Overall Botnet Infections Per Day and Overall Botnet Infections Per Month, Sep-09 to Sep-10]

Page 15

AutoRun And Koobface Level Off

[Charts: Unique AutoRun Samples Discovered, Sep-08 to Sep-10, y-axis 0 to 700,000; Unique Koobface Samples Discovered, Jan-09 to Sep-10, y-axis 0 to 30,000]

Page 16

Fake Security Software Peaked in '09 But Remains High for This Lucrative Form of Cybercrime

[Charts: Unique Password Stealers Samples Discovered and Unique FakeAlert Samples Discovered, Sep-08 to Sep-10]

Page 17

Zeus Is In a Class All By Itself

Zeus (Zbot or PWS-Zbot) is spread via download or phishing sites. Some Zeus campaigns switched from text to graphics in emails to avoid anti-spam technologies.

Page 18

Websites Hosting Zeus

McAfee Labs is finding URLs dedicated to hosting Zeus.

[Chart: Zeus-hosting URLs per month, Sep-09 to Sep-10; y-axis 0 to 2,500]

Page 19

Zeus Goes Mobile

1. User logs onto online banking website
2. Tries to make a money transfer
3. Bank asks for an additional code
4. Code sent to user's phone via SMS
5. User enters code to validate the transaction

Zeus intercepts so it can validate its own transactions.

Then Zeus can send a message to the user's phone directing them to a malicious website.
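The flow above, simulated in Python as an added example (not McAfee code, and not a description of any real bank's system). It shows why a browser-side Zeus wins against a plain SMS code, why a code that is bound to the beneficiary and amount and repeated in the SMS gives a careful user something to check, and why that check is gone again once the phone itself is infected. The bank key, account names and amounts are constructed.

```python
"""SMS-code (mTAN) flow from the slide, simulated, and where a browser-side
and a phone-side Zeus break it.  Added example; not McAfee code.  Bank key,
account names and amounts are constructed."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

BANK_KEY = b"constructed-bank-secret"  # assumption: bank-side HMAC key, never leaves the server


@dataclass(frozen=True)
class Transfer:
    dst: str
    amount: int


class Bank:
    """bound=False: the code is a plain random number (what the slide's flow relies on).
    bound=True: the code is an HMAC over the transfer details and the SMS repeats
    them, so a user can spot a transfer he never requested."""

    def __init__(self, bound):
        self.bound = bound
        self.pending = None  # (transfer, nonce, issued code)

    def _code_for(self, t, nonce):
        msg = f"{nonce}|{t.dst}|{t.amount}".encode()
        digest = hmac.new(BANK_KEY, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def start_transfer(self, t):
        nonce = secrets.token_hex(8)
        code = self._code_for(t, nonce) if self.bound else f"{secrets.randbelow(1_000_000):06d}"
        self.pending = (t, nonce, code)
        if self.bound:
            return f"Code {code} confirms transfer of {t.amount} to {t.dst}"
        return f"Your code is {code}"

    def confirm(self, code):
        t, nonce, issued = self.pending
        expected = self._code_for(t, nonce) if self.bound else issued
        return hmac.compare_digest(code, expected)


def extract_code(sms):
    return re.search(r"\b\d{6}\b", sms).group(0)


def user_accepts(sms, intended):
    """A careful user types the code only if the SMS describes his own transfer.
    An SMS without details gives him nothing to check, so it is accepted blindly."""
    if "transfer of" not in sms:
        return True
    return f"transfer of {intended.amount} to {intended.dst}" in sms


def simulate(bound, browser_infected, phone_infected):
    """Return the transfer the bank executed, or None if it was not confirmed."""
    intended = Transfer("landlord", 500)
    # Zeus in the browser rewrites beneficiary and amount before submission
    submitted = Transfer("mule-account", 4900) if browser_infected else intended
    bank = Bank(bound)
    sms = bank.start_transfer(submitted)
    if phone_infected:
        # the mobile component forwards the SMS; the attacker types the code
        code = extract_code(sms)
    elif user_accepts(sms, intended):
        code = extract_code(sms)
    else:
        return None  # user refuses: the SMS names a transfer he never made
    return submitted if bank.confirm(code) else None


if __name__ == "__main__":
    for args in [(False, True, False), (True, True, False), (True, True, True)]:
        print(args, "->", simulate(*args))
```

The second channel only helps while it is independent of the first: the bound code defeats the browser-only case because the user reads the SMS, and the phone-side component removes exactly that reader.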

Page 20

Cybercriminals Are Optimizing Their Threats for Search Engines

This quarter’s most poisoned search topics:

• Haiti earthquake

• Chile earthquake/Hawaii tsunami warning

• Toyota recall

• Apple iPad

• 2010 NCAA bracket/March Madness

• Tiger Woods apology

• Shamu attack/Florida shark attack

• Olympic luge tragedy

• Groundhog Day

• U.S. Health Care Reform Bill

Page 21

And They Go Where We Go!

60% of Top Google Search Terms Returned Malicious Sites in the First 100 Results

Page 22

Web/Domain Reputation

Number of sites categorized in our Web- and Domain Reputation Services.

Top 15 Website Categories Number of Sites

Malicious Sites 14,475,580

Residential IP Addresses 6,040,787

Spam URLs 4,085,439

Pornography 2,815,319

Content Servers 2,511,339

Business 2,510,899

Phishing 1,474,321

Parked Domains 1,215,048

Travel 1,140,018

Anonymizers 997,863

Online Shopping 979,092

Real Estate 873,159

Instant Messaging 842,263

Government/Military 829,381

Marketing/Merchandising 826,286

Page 23

Targeted Attacks

• A senior Pentagon official reveals details of a previously-classified malware attack he considers “the most significant breach of U.S. military computers ever.”

• Deputy Defense Secretary William J. Lynn III explains that in 2008, a flash drive believed to have been infected by a foreign intelligence agency uploaded malicious code onto a network run by the military's Central Command.

Source: http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain

• "It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary."

• The incident led to a massive Pentagon response operation called "Operation Buckshot Yankee" aimed at purging infected systems of the malware and preventing something similar from happening again.

Page 24

Targeted Attacks

• Targeted Attacks and Advanced Persistent Threats (APT)

• Attackers have lots of resources
  – 0-days
  – Customized malware

• But GhostNet used off-the-shelf malware

• High social engineering factor
  – Attachments with supposedly relevant information for the recipient
  – Links to supposedly relevant information
  – Email, social network messages, IM

• Low distribution to stay under the radar

Page 25

Stuxnet: Under the Hood

• Discovered in July 2010 by the VirusBlokAda company in Minsk, Belarus
• First seen in Iran, Indonesia, India; now spread worldwide
• Targets Siemens WinCC and SIMATIC Process Control System (PCS 7)
• Uses four 0-day vulnerabilities plus the Conficker vulnerability (MS08-067)

  – Shortcut icon vulnerability (CVE-2010-2568/MS10-046), affecting every version of Windows since Windows 2000 (even Win95)

  – Design flaw in Print Spooler (MS10-061/CVE-2010-2729)
  – Two privilege escalation exploits [win32k.sys]

• A user opens a folder that contains the .lnk template files (.pif files also vulnerable)
• Rootkit drivers signed with valid certificates (Realtek and JMicron)
• UPX packed, XOR encoded everywhere
• Once loaded, queries the Siemens database with a known default password
• Connects to C&C servers, sending sensitive data
• Manipulates the database to control the HMI output and manipulates the PLCs

Page 26

Stuxnet: a Targeted Attack Runs Rampant

Stuxnet, the first malware targeting industrial control systems, threatens critical infrastructure.

Page 27

Protection Catching Up: "Cloud Security"

Page 28

About that In-The-Cloud Security Thingie...

• "Invented" 3 years ago

• Implemented one way or the other by most major AV vendors
  – And no one really documents what exactly they are doing

Page 29

So this is how it works

Artemis: Collective Threat Intelligence

1. User receives new file via email/web/network/USB
2. No detection with existing DATs, but the file is "suspicious"
3. Fingerprint of file is created and sent using Artemis
4. Artemis reviews this fingerprint and other inputs statistically across the threat landscape
5. Artemis identifies the threat and notifies the client
6. VirusScan processes the information and removes the threat

Page 30

About that In-The-Cloud Security Thingie... (continued)

• So it's basically a file reputation service
  – Comparable to what has been done in other areas long ago
    • AntiSpam
    • Domain Reputation

• Major benefit: detection speed (near real-time)
  – And it makes products look great in any test against collections (>99.9%)

Page 31

Problems of that Cloud Security Thingie...

• True server-side polymorphism
  – Needs more metadata than just the fingerprint

• Detection only available when online
  – Outbreak situation, gateway down -> detection gone
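The six-step flow from two slides back and the two problems listed here, as an added Python example. This is not McAfee's Artemis and not its protocol; the "service" is an in-memory stand-in, and the origin URL, sample bytes and cache lifetime are constructed. It shows a hash-keyed lookup missing a one-byte server-side repack until the query carries more than the fingerprint (here the distribution URL), and the cloud verdict disappearing for anything not already cached once the endpoint is offline.

```python
"""Cloud file-reputation lookup, modelled on the six-step flow on the slide, with
the two weak spots named on this one.  Added example; not McAfee's Artemis.
Service contents, the origin URL and the sample bytes are constructed."""
import hashlib
import time


class ReputationService:
    """The cloud side.  Verdicts are keyed by SHA-256, plus a second index on the
    distribution URL so a server-side repack (new hash, same origin) still scores."""

    def __init__(self):
        self.by_hash = {}
        self.by_origin = {}

    def report_bad(self, sha256, origin):
        self.by_hash[sha256] = "malicious"
        self.by_origin[origin] = "malicious"

    def lookup(self, sha256, origin=None):
        if sha256 in self.by_hash:
            return self.by_hash[sha256], "hash"
        if origin in self.by_origin:
            return self.by_origin[origin], "origin"  # metadata beyond the fingerprint
        return "unknown", None


LOCAL_DATS = set()  # constructed offline signature set (SHA-256 of known samples)


class Endpoint:
    """Scanner side: local DATs first, then a verdict cache, then the cloud."""

    def __init__(self, service, online=True, cache_ttl=3600):
        self.service = service
        self.online = online
        self.cache_ttl = cache_ttl
        self.cache = {}  # sha256 -> (verdict, expires_at)

    @staticmethod
    def fingerprint(data):
        return hashlib.sha256(data).hexdigest()

    def scan(self, data, origin, now=None):
        now = time.time() if now is None else now
        h = self.fingerprint(data)
        if h in LOCAL_DATS:
            return "malicious", "dat"
        verdict, expires = self.cache.get(h, (None, 0))
        if verdict and expires > now:
            return verdict, "cache"
        if not self.online:
            return "unknown", "offline"  # gateway down: the cloud verdict is simply gone
        verdict, how = self.service.lookup(h, origin)
        if verdict != "unknown":
            self.cache[h] = (verdict, now + self.cache_ttl)
        return verdict, how or "cloud"


def demo():
    """Walk one sample through the flow; returns the verdict at each stage."""
    svc = ReputationService()
    origin = "http://example.invalid/update.exe"  # constructed distribution URL
    v1 = b"MZ constructed dropper body"
    v2 = v1 + b"\x00"  # server-side repack: one byte differs, a new SHA-256
    ep = Endpoint(svc)
    out = {}
    out["first_seen"] = ep.scan(v1, origin)
    svc.report_bad(ep.fingerprint(v1), origin)  # the cloud learns from another node
    out["after_report"] = ep.scan(v1, origin)
    out["repack_hash_only"] = svc.lookup(ep.fingerprint(v2))
    out["repack_with_origin"] = ep.scan(v2, origin)
    ep.online = False
    out["offline_cached"] = ep.scan(v1, origin)
    out["offline_new"] = ep.scan(v2 + b"\x00", origin)
    return out


if __name__ == "__main__":
    for stage, result in demo().items():
        print(f"{stage:20s} {result}")
```

The cache is what keeps a previously seen file detected through an outage; anything first seen while the gateway is down falls back to whatever the local DATs know, which is exactly the gap the slide describes.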

Page 32

Evolution of Threat Detection

[Diagram: three layers stacked over a timeline running from the inception of signature-based protection through 2007, 2008, 2009 and 2010 and beyond]

• Reactive: traditional signature-based defenses
• Real-time: behavior and cloud-based reputation technology reacting to queries
• Predictive: leveraging cloud-based reputation and multi-vector correlation to predict threats

Page 33

Threat Intelligence Feeds: Correlation of various Reputation Feeds

Malware
• IP addresses distributing it
• URLs hosting malware
• Mail/spam including it
• Botnet affiliation
• IPS attacks caused

Domain/URL
• Mail/spam sending activity
• Web access/referer activity
• Malware hosting activity
• Hosted files
• Popups
• Affiliations
• DNS hosting activity

IP address
• Botnet/DDoS activity
• Mail/spam sending activity
• Web access activity
• Malware hosting activity
• Network probing activity
• Presence of malware
• DNS hosting activity
• Intrusion attacks launched

IPS attacks/vulnerabilities
• IP addresses of attackers
• Vulnerability utilized
• Botnet affiliation
• Malware responsible

Page 34

Lots of data to correlate

Queries
• 2.5B Malware Reputation Queries/Month
• 20B Email Reputation Queries/Month
• 75B Web Reputation Queries/Month
• 2B IP Reputation Queries/Month
• 300M IPS Attacks/Month
• 100M Network Connection Reputation Queries/Month
• 100+ BILLION QUERIES

Nodes
• Malware: 40M Endpoints
• Email: 30M Nodes
• Web: 45M Endpoint and Gateway Users
• Intrusions: 4M Nodes
• 100+ MILLION NODES, 120 COUNTRIES

Page 35

An Example: Predictive Protection Against Widespread iFrame Injection Attack

Domain Reputation flagged anomalous web behavior (registration, traffic) for the URL.

The iFrame injection attack ran malicious JavaScript, responsible for downloading malicious .EXEs.

Protection against this attack held even as it propagated to many thousands of websites.

May 7, 2010: McAfee detects anomalous web activity; predictively adjusts web reputation.

June 7, 2010: McAfee systems pick up the massive iFrame injection attack; protect against the attack.

June 9, 2010: The media report the iFrame injection attack on more than 100,000 websites hosted on IIS servers using ASP.NET.
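The correlation sketched on the feeds slide and the predictive flagging in the timeline above, as an added Python example (not McAfee code; the feed names, weights, 80 % decay per hop, the block threshold of 50 and every observation are constructed). A domain whose only signals are a fresh registration and a traffic spike is not blockable on its own, but it resolves to an IP address that the IP feeds already know for spam, DDoS and malware hosting, so its score is raised in advance; an executable later downloaded from that domain inherits a blocking score before any signature exists for it.

```python
"""Correlating reputation feeds across entity types, in the spirit of the two
slides above.  Added example, not McAfee code; feed names, weights, the decay
factor, the threshold and every observation below are constructed."""
from collections import defaultdict

# Score each feed observation adds to the entity it was seen on (constructed).
WEIGHTS = {
    "spam_sending": 20,
    "malware_hosting": 40,
    "botnet_ddos": 30,
    "network_probing": 15,
    "ips_attack": 25,
    "new_registration": 10,   # the "anomalous web behaviour" signals
    "traffic_spike": 15,
}
DECAY_PCT = 80   # a neighbour's score carries over at 80 % per hop (integer math)
BLOCK_AT = 50


class Correlator:
    def __init__(self):
        self.obs = defaultdict(list)   # entity -> feeds that observed it
        self.links = defaultdict(set)  # entity -> related entities (undirected)

    def observe(self, entity, feed):
        self.obs[entity].append(feed)

    def link(self, a, b):
        """Relation from the feeds: domain resolves to IP, file downloaded from
        domain, attack launched from IP, and so on."""
        self.links[a].add(b)
        self.links[b].add(a)

    def own_score(self, e):
        return min(100, sum(WEIGHTS[f] for f in self.obs.get(e, [])))

    def scores(self):
        """Max-propagation to a fixed point: an entity scores at least DECAY_PCT
        of its worst neighbour.  Converges because the factor is below 100 %."""
        ents = set(self.obs) | set(self.links)
        s = {e: self.own_score(e) for e in ents}
        for _ in range(len(ents)):
            nxt = {}
            for e in ents:
                worst = max((s[n] for n in self.links.get(e, ())), default=0)
                nxt[e] = max(s[e], worst * DECAY_PCT // 100)
            if nxt == s:
                break
            s = nxt
        return s

    def verdicts(self):
        return {e: ("block" if v >= BLOCK_AT else "allow") for e, v in self.scores().items()}


def demo():
    c = Correlator()
    # IP feeds: the host behind a freshly registered domain is already noisy
    c.observe("ip:203.0.113.7", "spam_sending")
    c.observe("ip:203.0.113.7", "botnet_ddos")
    c.observe("ip:203.0.113.7", "malware_hosting")
    # Domain feed: new registration and a traffic spike, nothing malicious seen yet
    c.observe("domain:cdn-update.invalid", "new_registration")
    c.observe("domain:cdn-update.invalid", "traffic_spike")
    c.link("domain:cdn-update.invalid", "ip:203.0.113.7")
    # Malware feed: an executable with no signature yet, first seen from that domain
    c.link("file:sha256-constructed-0001", "domain:cdn-update.invalid")
    # A control: an ordinary domain on a quiet IP
    c.observe("domain:shop.example", "traffic_spike")
    c.link("domain:shop.example", "ip:198.51.100.9")
    return c.verdicts()


if __name__ == "__main__":
    for entity, verdict in sorted(demo().items()):
        print(f"{verdict:5s} {entity}")
```

Max-propagation rather than summation is deliberate: a popular IP with many linked domains should not accumulate a bad score just from its fan-out, and a single bad neighbour should be enough to raise suspicion. The decay keeps a verdict from travelling unbounded across the graph.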

Page 36

File Reputation

Evolution of malware detection to take into account the full file reputation spectrum: whitelist, blacklist, and reputation with infinite space for each.

[Diagram: File Correlation at the centre, linked to Web-hosted Files, Malware Associated with Intrusion, Files Containing Web Calls, Malware Files and Trusted Files]

Page 37

You are INFECTED and don't know it.

Page 38

You are INFECTED and know it.
You are INFECTED and don't know it.

Page 39

You are INFECTED and don't know it… but we DO.

Adding a Third Level of Detection

Page 40

[Diagram of protection layers; component labels: NDLP, NAC, SaaS, NIPS, NTR, NTBA, WG, FW, HIPS, EG, WEB, R&C, AM, AC, DLP]

Page 41

Other Protections available (soon)

• Application Control / Whitelisting
  – Most secure defense against malware, even targeted attacks
  – Still scaling issues
    • Moves from dedicated devices to servers nowadays

• Advanced Behaviour-Based Detection
  – Still on the horizon, gains importance with predictive detection
  – "Can you tell the difference between VNC and NetBus based on behaviour?"

• Network-Based Detection of Irregular Traffic

• Cheap Trick: Mine your DNS Server for Treasure
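One way to mine a resolver's query log, as an added Python example (not McAfee code). The log lines, the blocklist and the heuristic thresholds are constructed; the line layout follows BIND's query log, but the parser only relies on the "client IP#port: query: NAME IN TYPE" fragment. It pulls three kinds of leads out of the log: clients that asked for a blocklisted domain, clients asking for long, high-entropy labels typical of domain-generation algorithms, and domains only a single internal host ever asked for.

```python
"""Mining a resolver's query log for leads, as the last bullet suggests.
Added example, not McAfee code.  The log lines, the blocklist and the
heuristics' thresholds are constructed; the line format follows BIND's
query log, but the parser only needs the 'client IP#port: query: NAME IN TYPE' part."""
import math
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")

BAD_DOMAINS = {"zeus-update.invalid"}  # constructed: what a domain-reputation feed would supply

# Constructed sample log
SAMPLE_LOG = """\
25-Nov-2010 10:01:02.123 client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.1)
25-Nov-2010 10:01:03.001 client 10.0.0.6#41000: query: www.example.com IN A + (10.0.0.1)
25-Nov-2010 10:01:04.400 client 10.0.0.7#41001: query: mail.example.com IN MX + (10.0.0.1)
25-Nov-2010 10:01:05.010 client 10.0.0.6#41002: query: zeus-update.invalid IN A + (10.0.0.1)
25-Nov-2010 10:01:06.220 client 10.0.0.6#41003: query: kq3x9vplm2zrt.com IN A + (10.0.0.1)
25-Nov-2010 10:01:06.900 client 10.0.0.6#41004: query: p0w7dzq1hmc8v.net IN A + (10.0.0.1)
25-Nov-2010 10:01:07.500 client 10.0.0.5#53212: query: www.example.com IN AAAA + (10.0.0.1)
"""


def registrable(name):
    """Last two labels.  Approximation: no public-suffix list, so co.uk-style
    names collapse one level too far."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def looks_generated(domain, min_len=12, min_entropy=3.5):
    """Crude DGA heuristic: a long second-level label with near-uniform characters."""
    label = domain.split(".")[0]
    return len(label) >= min_len and entropy(label) >= min_entropy


def analyze(log_text):
    clients_by_domain = defaultdict(set)
    queries_by_client = Counter()
    blocklisted, generated = set(), set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ip, domain = m.group("ip"), registrable(m.group("name"))
        clients_by_domain[domain].add(ip)
        queries_by_client[ip] += 1
        if domain in BAD_DOMAINS:
            blocklisted.add((ip, domain))
        if looks_generated(domain):
            generated.add((ip, domain))
    # Domains only one internal host ever asked for: a cheap lead list
    rare = sorted(d for d, c in clients_by_domain.items() if len(c) == 1)
    suspects = sorted({ip for ip, _ in blocklisted | generated})
    return {
        "blocklisted": sorted(blocklisted),
        "generated": sorted(generated),
        "rare": rare,
        "suspects": suspects,
        "queries_by_client": dict(queries_by_client),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The rare-domain list is a lead list, not a verdict: on a real resolver it will also contain internal names and one-off legitimate lookups, and it is the overlap with the other two lists, or with the clients already named there, that is worth chasing first.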

Page 42

Questions? More Info?

• Read the McAfee Labs Security Blog– http://www.avertlabs.com/research/blog

• Listen to the AudioParasitics Podcast– http://www.audioparasitics.com

• Read the Monthly Spam Report– http://www.mcafee.com

• Read the McAfee Quarterly Threat Report– http://www.mcafee.com

• Read the McAfee Security Journal– http://www.mcafee.com

• Watch the Stop H*Commerce Series– http://www.stophcommerce.com
